* src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`. It is undefined behavior to pass `NULL` to `memcpy`. `coords` is passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design` explicitly call `tt_set_mm_blend` with `coords` as `NULL`. In addition, `TT_Set_MM_Blend` has a similar possible issue.
diff --git a/ChangeLog b/ChangeLog
index 9209ea8..34552ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2021-07-01 Ben Wagner <bungeman@chromium.org>
+
+ * src/truetype/ttgxvar.c (tt_set_mm_blend): Test `coords`.
+
+ It is undefined behavior to pass `NULL` to `memcpy`. `coords' is
+ passed to `memcpy` but `TT_Get_MM_Blend` and `TT_Get_Var_Design`
+ explictly call `tt_set_mm_blend` with `coords` as `NULL`. In
+ addition, `TT_Set_MM_Blend` has a similar possible issue.
+
2021-06-30 Dominik Röttsches <drott@chromium.org>
[sfnt] Support PaintScale in 'COLR' v1 parsing.
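Review bot: the added ChangeLog entry misspells "explictly" (should be "explicitly") on the line "explictly call `tt_set_mm_blend` with `coords` as `NULL`", and the quoting is inconsistent within the same entry: "`coords'" uses a closing apostrophe while every other identifier in the entry is wrapped in matching backticks. Pick one convention for the whole entry so the text reads cleanly in the rendered log.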
diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
index ad87746..aad3e29 100644
--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
@@ -2663,9 +2663,10 @@
}
blend->num_axis = mmvar->num_axis;
- FT_MEM_COPY( blend->normalizedcoords,
- coords,
- num_coords * sizeof ( FT_Fixed ) );
+ if ( coords )
+ FT_MEM_COPY( blend->normalizedcoords,
+ coords,
+ num_coords * sizeof ( FT_Fixed ) );
if ( set_design_coords )
ft_var_to_design( face,
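Review bot: the `if ( coords )` guard removes the undefined `memcpy` with a NULL source, but it leaves the meaning of a NULL `coords` undocumented: when the copy is skipped, `blend->normalizedcoords` keeps whatever it previously held, and nothing in this hunk clears or resets it. Since the commit message says `TT_Get_MM_Blend` and `TT_Get_Var_Design` deliberately pass NULL, add a short comment above the guard stating the contract the callers rely on (e.g. "NULL means: keep the current normalized coordinates") so the next reader does not assume the array is zeroed, and consider asserting the intended relationship between `coords == NULL` and `num_coords` if one exists, since `ft_var_to_design( face, ...` below still runs for the NULL case whenever `set_design_coords` is set.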